The Psychology of Info Sec


1 SESSION ID: GRM-R08 The Psychology of Info Sec Wayne Tufek IT Security Architect Officeworks

2 Agenda Chapter 1: Info Sec the sell. Chapter 2: Human decision making in risky situations. Chapter 3: Persuasion. Chapter 4: Towards an Info Sec safety culture. Chapter 5: What next?

3 Info Sec the sell

4 The Info Sec Salesman Who here today is an Info Sec salesman?

5 The Info Sec Salesman A conversation with your CFO. CISO: This year I need $ more for my security program. CFO: How much did you spend last year? CISO: Just what was budgeted. CFO: Anything bad happen? CISO: No, nothing. CFO: Great! Keep up the good work.

6 Chapter 1: The Info Sec Sell What do you do? How much does it cost? What value does it provide?

7 Chapter 1: The Info Sec Sell Risk: rewarded and unrewarded. The flipside of risk is opportunity: revenue, reputation, resilience, regulation. Source:

8 Chapter 1: The Info Sec Sell Selling business value through the realisation of rewarded risk and the mitigation of unrewarded risk. The objective of the Info Sec function is to manage risks to an acceptable level. The specific risks to be managed will differ between organisations, as will the level of tolerable or acceptable risk.

9 Human decision making in risky situations

10 Chapter 2: Human decision making in risky situations Decisions involve risk. Kahneman and Tversky

11 Chapter 2: Human decision making in risky situations Source:

12 Chapter 2: Human decision making in risky situations "If it takes 5 machines 5 minutes to make 5 widgets, how many minutes does it take 100 machines to make 100 widgets?" The answer "100 minutes" leaps to mind (System 1 at work), but it is wrong. A bit of reflective thought (by System 2) leads to "five minutes", the right answer.

13 Chapter 2: Human decision making in risky situations An individual has been described as follows: "Steve is very shy and withdrawn, invariably helpful but with very little interest in people or in the world of reality. A meek and tidy soul, he has a need for order and structure, and a passion for detail." Is Steve more likely to be a librarian, a pilot, a surgeon or a farmer?

14 Chapter 2: Human decision making in risky situations Heuristics

15 Chapter 2: Human decision making in risky situations Representativeness. Availability. Adjustment and anchoring.

16 Chapter 2: Human decision making in risky situations Biases: optimism bias, hindsight bias, confirmation bias.

17 Chapter 2: Human decision making in risky situations Prospect theory

18 Chapter 2: Human decision making in risky situations Scenario One: the test subject was asked to pick between Option A, a 100% chance of losing $3000, or Option B, an 80% chance of losing $4000 and a 20% chance of losing nothing. Scenario Two: next, choose between Option C, a 100% chance of receiving $3000, or Option D, an 80% chance of receiving $4000 and a 20% chance of receiving nothing.

19 Chapter 2: Human decision making in risky situations Scenario One: an epidemic breaks out that is likely to kill 600 people if left untreated. Treatment strategy A will save 200 people. Treatment strategy B has a 1/3 chance of saving 600 people and a 2/3 chance of saving nobody. Scenario Two: the same epidemic breaks out, again likely to kill 600 people if left untreated. Treatment strategy C: 400 people will die. Treatment strategy D: there is a 1/3 probability that nobody will die and a 2/3 probability that 600 people will die.
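The two choice problems on slides 18 and 19 are the classic prospect theory demonstrations: an expected-value maximiser takes the gamble in the loss scenario (B) and the gamble in the gain scenario (D), and is indifferent between the two epidemic framings, while most people pick B and C, and flip from A to D when the same outcomes are reframed as deaths. The script below, an added example that is not part of the original deck, runs both problems through the prospect theory value and probability-weighting functions so the reversal can be seen numerically. The parameter values (curvature 0.88, loss aversion 2.25, weighting exponents 0.61 for gains and 0.69 for losses) are the Tversky and Kahneman (1992) cumulative prospect theory estimates, which the slides do not cite; the prospects themselves are the slide's own numbers.

```python
"""Prospect theory versus expected value on the slide deck's two choice problems.

Added example, not from the original deck. Parameter values are the
Tversky & Kahneman (1992) estimates (assumed here; the slides give none).
"""
from typing import Dict, List, Tuple

Prospect = List[Tuple[float, float]]  # (outcome, probability) pairs

ALPHA = 0.88   # curvature of the value function for gains
BETA = 0.88    # curvature of the value function for losses
LAMBDA = 2.25  # loss aversion: a loss hurts about 2.25x as much as an equal gain pleases
GAMMA = 0.61   # probability-weighting exponent for gains
DELTA = 0.69   # probability-weighting exponent for losses


def value(x: float) -> float:
    """S-shaped value function: concave for gains, convex and steeper for losses."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def weight(p: float, c: float) -> float:
    """Inverse-S probability weighting: overweights small p, underweights large p."""
    if p <= 0:
        return 0.0
    if p >= 1:
        return 1.0
    return p ** c / (p ** c + (1 - p) ** c) ** (1 / c)


def expected_value(prospect: Prospect) -> float:
    """What a risk-neutral decision maker would use."""
    return sum(x * p for x, p in prospect)


def cpt_value(prospect: Prospect) -> float:
    """Cumulative prospect theory value of a prospect.

    Gains are ranked best-first and losses worst-first; each outcome gets the
    marginal decision weight w(P(at least this extreme)) - w(P(more extreme)),
    using the gain or loss weighting curve as appropriate. Zero outcomes
    contribute nothing and are skipped.
    """
    gains = sorted(((x, p) for x, p in prospect if x > 0), reverse=True)
    losses = sorted((x, p) for x, p in prospect if x < 0)
    total = 0.0
    cum = 0.0
    for x, p in gains:
        total += (weight(cum + p, GAMMA) - weight(cum, GAMMA)) * value(x)
        cum += p
    cum = 0.0
    for x, p in losses:
        total += (weight(cum + p, DELTA) - weight(cum, DELTA)) * value(x)
        cum += p
    return total


def preferred(options: Dict[str, Prospect]) -> Tuple[str, str]:
    """Return (option an EV maximiser picks, option prospect theory predicts)."""
    by_ev = max(options, key=lambda k: expected_value(options[k]))
    by_cpt = max(options, key=lambda k: cpt_value(options[k]))
    return by_ev, by_cpt


# Slide 18: sure loss vs gamble, then sure gain vs gamble.
MONEY_LOSS = {"A": [(-3000, 1.0)], "B": [(-4000, 0.8), (0, 0.2)]}
MONEY_GAIN = {"C": [(3000, 1.0)], "D": [(4000, 0.8), (0, 0.2)]}

# Slide 19: identical outcomes framed as lives saved, then as lives lost.
LIVES_SAVED = {"A": [(200, 1.0)], "B": [(600, 1 / 3), (0, 2 / 3)]}
LIVES_LOST = {"C": [(-400, 1.0)], "D": [(0, 1 / 3), (-600, 2 / 3)]}

if __name__ == "__main__":
    for name, opts in [("money, loss frame", MONEY_LOSS), ("money, gain frame", MONEY_GAIN),
                       ("epidemic, saved frame", LIVES_SAVED),
                       ("epidemic, lost frame", LIVES_LOST)]:
        ev_pick, pt_pick = preferred(opts)
        scores = ", ".join(f"{k}: EV {expected_value(v):.0f} / PT {cpt_value(v):.0f}"
                           for k, v in opts.items())
        print(f"{name}: EV maximiser picks {ev_pick}, prospect theory predicts {pt_pick} ({scores})")
```

Running it shows the pattern the slides are driving at: the money gambles have the better expected value in both scenarios, yet the prospect theory value prefers the sure thing for gains (C) and the gamble for losses (B). The epidemic pair has identical expected values in both frames, but the saved frame scores A above B and the lost frame scores D above C, so the framing of the risk communication, not the underlying numbers, decides the choice.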

20 Chapter 2: Human decision making in risky situations Mental models

21 Chapter 2: Human decision making in risky situations Risk and decision making in groups

22 Chapter 2: Human decision making in risky situations Risk communications and the factors influencing the persuasiveness of a message: order effects; one-sided vs two-sided presentations; simplicity and repetition; message medium.

23 Chapter 2: Human decision making in risky situations Combating biases. Before finalising a decision, imagine that, a year after it has been made, it has turned out horribly, then write a history of how it went wrong and why. hbr.org/2011/06/the-big-idea-before-you-make-that-big-decision

24 Persuasion

25 Chapter 3: Persuasion Influence means change and moving people in a particular direction. Robert Cialdini

26 Chapter 3: Persuasion People repay in kind. Free stuff: the Disabled American Veterans organisation improved response (donations) from 18% to 35% by enclosing a small gift (address labels). "Sure, glad to help. I know how important it is for me to count on your help when I need it."

27 Chapter 3: Persuasion People want more of what they can have less of. People are motivated to act by the idea of losing something rather than gaining that very thing.

28 Chapter 3: Persuasion People like those that like them. The number one rule of sales is to like the other person. Bargaining by

29 Chapter 3: Persuasion People follow the lead of similar others. Restaurant menus: "These are our most popular dishes" increased sales from 13% to 20%.

30 Chapter 3: Persuasion People align with their public commitments. A UK doctors' surgery reduced no-show appointments by 18%. "What would you like to achieve?" "When you made that decision in the past, I have no doubt it was the right one, but circumstances have changed. Let me show you how."

31 Chapter 3: Persuasion People defer to experts. Trustworthiness: "The credible communicator who has both expertise and trustworthiness is the single most powerful communicator that social science has ever uncovered." Mention a drawback.

32 Towards an Info Sec safety culture

33 Chapter 4: Towards an Info Sec safety culture People, people, people

34 Chapter 4: Towards an Info Sec safety culture

35 Chapter 4: Towards an Info Sec safety culture What is a safety culture? "The product of individual and group values, attitudes, perceptions, competencies, and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organisation's health and safety management." "The way we do things around here." A set of attitudes, beliefs or norms. Change "health and safety" to "information security".

36 Chapter 4: Towards an Info Sec safety culture

37 Chapter 4: Towards an Info Sec safety culture Activating the human firewall. What is security awareness? Are you just checking the box? Security awareness is not easy! Engage, engage, engage. Measure, measure, measure. Have reasonable expectations. Reinforce, reinforce, reinforce.

38 Chapter 4: Towards an Info Sec safety culture

39 Chapter 4: Towards an Info Sec safety culture Implementing a safety culture. Whose Info Sec safety culture consists of broadcasting facts? Framing risk communications: mental models differ between lay people and technical experts. Determine the difference and tailor your Info Sec safety culture messages.

40 Chapter 4: Towards an Info Sec safety culture Simply communicating facts, such as policies, does not work. Focus on the needs of your audience.

41 Chapter 4: Towards an Info Sec safety culture Resources. Judgement under uncertainty: Heuristics and Biases, psiexp.ss.uci.edu/research/teaching/tversky_kahneman_1974.pdf. Affect, risk and decision making. Prospect Theory, scf.roer.com

42 What next?

43 Chapter 5: What Next? Summary: Info Sec is selling business value through rewarded and unrewarded risk. Heuristics and biases impact decision making when risk is involved. How to persuade effectively. How to activate the human firewall. Synergies between a safety culture and security awareness. A mental model approach to implementing a safety culture.

44 Chapter 5: What Next? Next week you should: revisit your organisation's business strategy; identify the business value your Info Sec function can provide; review your security strategy. In the first three months following this presentation you should: review and assess your Info Sec safety program (security awareness); start selling Info Sec more effectively through persuasion and understanding how risk-based decisions are made (heuristics and bias); start framing risk communications more effectively; start selling business value.

45 Chapter 5: What Next? Within six months you should: determine your audience's mental model as it relates to your Info Sec safety and broader programs, and respond accordingly.

46 Questions?

47 Contact me Wayne (dot) Tufek (at) gmail.com